[unisog] MSN Messenger - two questions

David Lundy dlundy at pacific.edu
Tue Feb 20 22:04:29 GMT 2007


Brian:
      I have appreciated your comments as well as others about IM
security.  We haven't really addressed it.  I would like to say that we
are hearing from our admissions that a significant number of prospective
students consider email "so last century."  So I believe IM in
admissions will be an issue for us as well.

David Lundy

----
David Lundy
Acting IT Security Officer
University of the Pacific
Stockton, CA 95211
Email: dlundy at pacific.edu
Voice: 209-946-3951
Fax: 209-946-2898

>>> Brian Eckman <eckman at umn.edu> 02/20/07 1:41 PM >>>
Alan,

Comments within.

Alan Rothenbush wrote:
> Background:
> 
> I'm now under some pressure to "release" MSN Messenger to a group of my
> users, some of them senior administrators.
> 
> To date, the answer has been "no, insecure, next question", and as I
> "own" the machines and the users are but users, it has not yet been
> installed.

I'd argue that it is less insecure than E-mail. At least you don't have
to protect the server.

> 
> Sadly, these bosses (at least one of whom can fire me) now present a
> legitimate business need for which I have no other solution, the
> problem being that prospective students almost universally choose some
> sort of IM as the preferred form of communication.

Using IM to converse with prospective students? I don't work in
Admissions, but that seems more than a little odd to me. Maybe a "live
help" Java applet on a "Have Questions?" type of Web page is manageable,
and perhaps whatever solution like this that they want interfaces with
MSN Messenger (I doubt it), but chatting via IM with prospective
students does not sound professional nor productive to me.

> 
> (The Instant Gratification generation, I suppose, making me once again
> feel my age)
> 
> Since we (annoyingly) do need students around the place, I'm probably
> going to have to come up with some solution.
> 
> My concerns (perhaps unfounded) are the need to open up the built-in XP
> firewall to a server off in the big bad internet, allowing access to an
> application that I think has historic security issues.

MSN Messenger hasn't been much of an issue as far as client security
goes. Also, there shouldn't be any need to allow it through the
firewall, at least not for most uses. It can make an outbound connection
to the MSN servers, and the chat can go through those (this is the
default behavior anyways).

> 
> Question 1:
> 
> Are my concerns unfounded?

Mostly. The security concerns with IM aren't far off those with E-mail.
However, many folks have E-mail Anti-virus, Anti-spam and/or content
defanging, and thus aren't really used to receiving several viruses each
day (anymore, that is).

These days, the IM threat is mostly when someone on your "buddy list"
gets 0wned, and their bot starts sending IMs with a link to the bot
malware hosted on some Web page. The bot herder (if you will) can
control whatever message and link are sent, and some of them are pretty
good at social engineering. If the users are educated well enough to
know not to fall for this type of social engineering, the threat level
is pretty low.

While adding thousands of prospective students to your "buddy list"
would be a great way to keep tabs on the location of the latest IRC bot
distribution points, it is a terrible way to communicate with them.
Offer a Java applet on a Web page for "Live Help" if that's the
functionality you need.

> 
> (My response "they're all wrong" to the statement "every other
> university does it" doesn't seem to be enough of an explanation)
> 
> Question 2:
> 
> If it turns out I have to do this, any tips for keeping things safe?

The safest way to IM is to accept messages only from people on your
"buddy list". However, that doesn't scale well in this scenario. You'd
have to publish your IM info publicly, and accept messages from anyone.
That opens up a wealth of potential social engineering attacks, far
beyond just links to malware. It also opens you up to potential attacks
against the client itself, should it have an unpatched vulnerability.
It's cheaper to do, less time consuming, and harder to trace to attempt
to gain sensitive information via things like IM than it is to make a
phone call when you're trying to impersonate someone, so I imagine Bad
Guys(tm) will try it. Also, restricting this "valuable resource" to MSN
Messenger (as opposed to other, more popular IM networks) restricts your
client base. Not everyone has MSN Messenger (non-Windows computers,
anyone?). (Even if they do or use a 3rd party client that works over the
MSN Messenger network, they might not want school administration to know
their IM screen name.) Most folks have Java and a Web browser, and if
they don't, they probably aren't about to use MSN Messenger anyways.

And naturally, running Windows using a regular user account (not in the
Administrators *nor* Power Users group) is strongly suggested, whether
or not you install IM software.

> Thanks in advance.
> 
> 
> Alan
> 

In summary, IM itself isn't much of a security risk. The risk is that
you:
- are opening people up to a new avenue for social engineering
- risk a loss of productivity, as they spend too much time chatting
- risk alienating everyone who wants to use this service, but doesn't
choose to use the IM network that you decide on

Personally, I suspect that these people either:
- want to IM their family, friends and colleagues, and are making up a
lame excuse so that they can do so
- haven't thought this through, and/or don't know what options there
are, and are simply jumping on the first bandwagon they can think of to
appeal to the next generation of students

My gut tells me the first is the case, but I've been wrong before (so my
wife tells me). However, if someone paying you tells you to do it, I'd
suggest you offer up alternatives, but be prepared to install it if
asked.

Good luck,
Brian
-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
_______________________________________________
unisog mailing list
unisog at lists.dshield.org 
https://lists.sans.org/mailman/listinfo/unisog